Radius-based windows authentication
Phil Mayers
p.mayers at imperial.ac.uk
Fri Apr 25 16:55:05 CEST 2008
Mike Perdide wrote:
> Hello,
>
> I'm working on VLAN assignment with FreeRadius, with windows XP users.
> The FreeRadius server is using openLdap, and works over EAP-TTLS.
>
> The goal of my work is for the users to be on different Vlans depending on
> their status.
>
> The radius part is working fine, since the switch sets the right vlan when the
> user gives his login and password.
>
> My question was: is it possible to authenticate via radius at the windows
> login screen?

Is the windows machine a domain member?

>
> For now, it is using the samba database, but if I want to set up a dynamic
> vlan assignment, the network needs to be up before the samba partitions are
> mounted.

This last paragraph doesn't make sense to me. I don't know what "samba
database" and "samba partitions" are.

I think you are asking "is it possible for the client to do 802.1x with
the username/password typed into the login box" and the answer is "yes".

There are three ways to achieve this (that I know of).

1. Using the windows native supplicant and machine account
   authentication. Basically the process is this:

   * machine powers on - no-one logged in
   * machine uses its own domain account to login "host/$machinename"
   * user presses ctrl+alt+del
   * machine validates credentials to the domain controller, over the
     current network connection
   * machine downloads the user's profile
   * once the profile is downloaded, the machine does an EAP-Logoff and
     then re-authenticates using the user credentials
   * when the user logs out, the machine does an EAP-Logoff and then
     logs back in using the machine account

2. Using cached profiles - the user logs in without a network
   connection using a cached profile, then 802.1x starts

3. Using a different supplicant which has a GINA plugin; I believe the
   Odyssey supplicant (which you have to pay for) can do this. SecureW2
   (which is open source) may. Obviously you have to install software.
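
An added example, not part of the original post: a small Python check that reads RADIUS authentication log lines and reports, per switch port, whether the port followed the machine-then-user sequence of option 1 or saw a user login with no preceding machine ("host/...") login, as in options 2 and 3. The log lines are constructed and only modelled on FreeRADIUS "Login OK" entries; the client name, ports, MAC addresses and user names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on FreeRADIUS "Auth: Login OK" entries.
SAMPLE_LOG = """\
Fri Apr 25 09:00:01 2008 : Auth: Login OK: [host/PC-LAB-01] (from client sw1 port 5 cli 00-11-22-33-44-01)
Fri Apr 25 09:02:30 2008 : Auth: Login OK: [alice] (from client sw1 port 5 cli 00-11-22-33-44-01)
Fri Apr 25 09:10:11 2008 : Auth: Login OK: [bob] (from client sw1 port 7 cli 00-11-22-33-44-02)
Fri Apr 25 12:15:42 2008 : Auth: Login OK: [host/PC-LAB-01] (from client sw1 port 5 cli 00-11-22-33-44-01)
"""

LINE_RE = re.compile(
    r"Auth: Login OK: \[(?P<user>[^\]]+)\] "
    r"\(from client (?P<nas>\S+) port (?P<port>\d+) cli (?P<mac>[0-9A-Fa-f-]+)\)"
)

def is_machine(identity):
    """Machine accounts log in as "host/$machinename" (see option 1 above)."""
    return identity.lower().startswith("host/")

def port_sequences(log_text):
    """Return {(nas, port): [(kind, identity), ...]} in log order."""
    seqs = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # ignore anything that is not a successful login line
            kind = "machine" if is_machine(m["user"]) else "user"
            seqs[(m["nas"], int(m["port"]))].append((kind, m["user"]))
    return dict(seqs)

def classify(seq):
    """Name the login pattern seen on one port."""
    kinds = [kind for kind, _ in seq]
    if "user" not in kinds:
        return "machine-only"
    if "machine" in kinds[:kinds.index("user")]:
        return "machine-then-user"   # option 1: native supplicant
    return "user-only"               # options 2/3, or a non-domain device

if __name__ == "__main__":
    for (nas, port), seq in sorted(port_sequences(SAMPLE_LOG).items()):
        print(nas, port, classify(seq), [ident for _, ident in seq])
```
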